Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #71

September 07, 2007

A surprising thing happened on Wednesday. The Chief Information Security Officer of one of the large federal agencies registered to attend SANS' Hacker Exploits class taught by Ed Skoudis. It wasn't surprising that someone signed up: more than 8,000 security people have taken Ed's course; nearly all of them say it is the best course they have ever attended on any topic and many come back for updates. But it was surprising (and newsworthy) that a senior security manager with a multi-million dollar budget and responsibility for security policy and management across a vast agency, would decide that he needs to take a week of his time to learn how attackers actually penetrate the defenses and what it takes to block those attacks.

His decision is part of the evidence demonstrating that the security field has reached a tipping point. As this week's news about successful Chinese attacks on DoD and the UK Foreign Office amply demonstrate, the attackers have broken through the defenses that traditional security management and security awareness programs have put in place.

Why did the defenses fail? The answer appears to be that attackers have grown more sophisticated and security professionals did not have the technical security skills to find the penetrations, clean them up, and make sure they don't happen again. The director of one of the largest security consulting firms in Washington painted the picture most starkly at a luncheon a few months ago, telling a group of policy makers, "Eighty percent of our security consultants have soft skills and only twenty percent have hard skills. If we don't reverse that ratio within the next two years, we'll be out of business."

The CISO who decided to take Ed's course is in the vanguard of a major shift from soft security skills to hard skills. He is leading by example. Alan

How good are the courses? Here's what past attendees said: "An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life) "This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton) "You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

TOP OF THE NEWS

Seattle Police have arrested Gregory Thomas Kopiloff for allegedly using file-sharing software to gather information used in identity fraud. Kopiloff allegedly used Limewire and Soulseek peer-to-peer (P2P) file sharing programs to dig through other users' computers for financial data. He then allegedly opened credit cards with that information, made more than US $37,000 in purchases, and resold them at discounts. Charges against Kopiloff include mail fraud, accessing a protected computer, and two counts of aggravated identity theft. This appears to be the first case of someone being arrested for using P2P software to deliberately commit identity fraud.
-http://www.forbes.com/feeds/ap/2007/09/06/ap4091243.html

The US House of Representatives may vote this week on a bill that would require all evoting machines to produce a verifiable paper audit trail. If it becomes law, the Voter Confidence and Increased Accessibility Act would require all evoting machines used in November 2008 elections to provide this capability. The bill would also mandate random audits of three percent of results in all precincts, and evoting machines that use wireless technology or are connected to the Internet would be prohibited. For the bill to become law, similar legislation would need to pass in the Senate.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9034561&source=rss_topic17
[Editor's Note (Schultz): Sooner or later, a bill that mandates paper audit trails in eVoting systems will be signed into law in the US. In the meantime, it is safe to predict that special interest groups, eVoting manufacturers very much included, will launch a ferocious opposition effort. ]

A federal district court decision has stripped the Justice Department and FBI of their powers to wiretap telecommunications and Internet traffic without court orders. In addition, DoJ and the FBI can no longer impose gag orders to prevent recipients of National Security Letter wiretap notices from talking about their existence. Enforcement of the ruling has been stayed 90 days to allow time for the government to appeal.
-http://www.gcn.com/online/vol1_no1/44973-1.html?topic=security&CMP=OTC-RSS
[Editor's Note (Schultz): This ruling may indicate that a shift in the balance between power given to law enforcement and privacy protection is finally occurring. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

The recent theft of a laptop computer holding personally identifiable information of more than 100,000 Connecticut state taxpayers has underscored some of the problems inherent in permitting employees to be more mobile. Connecticut is stepping up laptop use among state employees as a precautionary measure in the event of a catastrophe. For instance, if there is severe weather, a physical attack or a medical epidemic, workers would be able to continue to work at their jobs from remote locations. Use of the state's virtual private network (VPN) has increased approximately 30 percent in the past year. The theft of the laptop from the Department of Revenue Services was reported within hours of its occurrence, but forensic specialists took about 11 days to determine what information it held. There is also an investigation into why so much information was on one laptop. Policy dictates that the computer should hold only information pertinent to current work.
-http://www.nhregister.com/site/news.cfm?newsid=18777364&BRD=1281&PAG=461&dept_id=590581&rfi=6
[Editor's Note (Schmidt): I think telecommuting is something that makes tremendous sense, but what makes no sense is why encryption is not being used despite story after story like this. I say yet once again: ENCRYPT, ENCRYPT, ENCRYPT! ]

POLICY & LEGISLATION

Proposed legislation in California would prohibit employers from requiring employees to have radio frequency identification (RFID) chips implanted under their skin. The bill has passed the California senate and now goes before Governor Schwarzenegger for his signature. Opponents of the bill call it "a solution looking for a problem." However, a video surveillance company in Ohio has required certain employees to have chips implanted as a security measure.
-http://www.vnunet.com/vnunet/news/2197977/california-senate-bans
[Editor's Note (Northcutt): If you are finding it hard to get all worked up about RFID, here are two sites with spooky stories:
-http://www.illuminati-news.com/RFID.htm
-http://www.epic.org/privacy/rfid/
(Pescatore): Hmmm, I would *love* to see national legislation preventing employers from getting under employees' skins....]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Issues iTunes Update (September 6, 2007)

Apple has released updates for both the OS X and Windows versions of iTunes to address a remote code execution vulnerability in version 7.4 of the media player. The flaw lies in the cover art display system and could be exploited via a maliciously crafted file.
-http://www.vnunet.com/vnunet/news/2198233/apple-slips-security-fix-itunes
[Editor's Note (Skoudis): I was just commenting at lunch yesterday to a friend how "Cover Flow", the animated view of album covers in iTunes, is propagating to almost every Apple product: the new iPods (Nano, Classic, Touch), the iPhone, and even the new Mac OS X version, 10.5. The latter, codenamed Leopard, has Cover Flow as a file view option in the Mac Finder, for looking at files in directories, whether they are music-related or not. I'm hoping they clean up any Cover Flow vulnerabilities in all of the products where they exist. This vulnerability illustrates the dangers of code sharing across products, and how carefully such shared code needs to be reviewed. This kind of reminds me of the GDI+ DLL fiasco in 2004 with the JPEG flaw in Windows. ]

QuickBooks' Online Vulnerabilities (September 5, 2007)

ActiveX control flaws in QuickBooks Online Edition could allow attackers to place malware on vulnerable computers or even access files from that computer. Attackers would need to manipulate users into opening a specially crafted HTML email or visiting a seeded website. The flaws exist in QuickBooks Online Edition version 9; users are urged to upgrade to version 10 or disable the control. The ActiveX control in question "fails to properly restrict access to dangerous methods."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9034519&source=rss_topic17
-http://www.kb.cert.org/vuls/id/979638
[Editor's Note (Kreitner): It's good to see some attention being paid (by Apple and Intuit) to application security. As important as operating system security is, people buy computers to run applications, typically built on a software stack consisting of OS, middleware, and applications. Applications should be designed to run on hardened OS and middleware. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Pfizer Acknowledges Another Data Security Breach (September 6, 2007)

Pfizer has acknowledged that a former employee downloaded sensitive information from its computer systems some time last year. Pfizer discovered the incident on July 10, 2007 and began notifying affected employees on August 24. The exposed data include names, Social Security Numbers (SSNs), dates of birth, and bank and credit card information. The breach may affect as many as 34,000 employees. This is the third data breach Pfizer has acknowledged within four months. In June, personal data of approximately 17,000 people were exposed when an employee's spouse placed file sharing software on a work computer. In July, two laptops and other data were stolen from a contractor's locked car.
-http://www.pcworld.com/article/id,136828-c,networksecurity/article.html

Stolen Johns Hopkins Hospital Computer Returned (September 4, 2007)

A computer that was stolen from Johns Hopkins Hospital on July 15, 2007 has been recovered. A Baltimore lawyer turned the desktop computer over to hospital security; he learned of its location from a client, but could provide no more information as he was bound by attorney-client privilege. A preliminary inspection indicated the computer was never turned on after it was stolen; the computer contains patient data. Johns Hopkins Hospital plans to bring in an IT forensics expert to conduct a thorough examination of the PC.
-http://www.baltimoresun.com/news/health/bal-computer0904,0,500185.story

MISCELLANEOUS

A spokesperson for China's Foreign Ministry has denied allegations that the country is behind a June attack on Pentagon computer systems, calling the assertion "totally groundless and a reflection of Cold war mentality," adding "The Chinese government has always [been] opposed to and forbidden any criminal acts undermining computer systems including hacking. We have explicit laws and regulations in this regard." Recent claims that China was behind attacks on German government systems were similarly dismissed. A report in the Financial Times indicated that an attack on Pentagon computers resulted in the shutdown of a number of systems, including one that serves the office of the secretary of defense.
-http://www.eweek.com/article2/0,1759,2179704,00.asp
[Editor's Note (Honan): In the past few days, China has also been accused of hacking into UK government systems including those of the UK's Foreign Office. See
-http://www.timesonline.co.uk/tol/news/world/asia/article2393979.ece?print=yes and
-http://www.guardian.co.uk/technology/2007/sep/04/news.internet/print
(Ullrich): Does it actually matter whether China acknowledges its involvement? Nation states have been using hacking against each other for years, whether they consider themselves friends or foes in other matters. ]

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

You've invested in access controls, cryptography, IPS, IDS and firewalls to protect your company from security breaches, but are you testing these security barriers to make sure they're actually effective? New vulnerabilities are discovered daily and attacks are constantly evolving. Security testing is now a critical best practice for effectively standing up to this shifting threat landscape.

The stakes have never been higher for organizations that process and store sensitive information on customers and employees. This webcast will explore the business drivers for encryption of system disks and provide the results of a hands-on evaluation comparing Seagate® DriveTrust™ against a software-based approach.

This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.

Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/